Looking back to 2013, I had predicted the 5 top technology trends (specifically for consumers) in that year, to be:

(i) Accelerated lived experience;

(ii) Bring Your Own Device (BYOD);

(iii) Crowdsourcing;

(iv) Distance education; and

(v) End-User legal authority/license autonomy/leveraged ability (EULA3). [1]

These pretty much held true, and even lasted both into and through 2014. The pace of instantaneous news, social tweets and alerts, and all manner of reality TV from financing pitches, through entire shows that are literally “celebrity selfie-cams”, to instantaneous gratification through crowd sourcing of funding, business and consumer information, and general gossip, have created this ever accelerating lived experience. Ever greater sales of handheld devices have forced employers to draft BYOD policies for employees too attached to their own devices to let them go, and all manner of distance education is now available for a fee, or for free in the ever-expanding offerings of Massive Open Online Course (MOOC).[2] As well, immersive gaming, as it develops with optional story lines, the move to taking software bits as building blocks for people to create their own widgets and full applications, and the myriad of customizable self-help, professional, and practical document templates available online, taken together, will only further speed EULA3.[3]

Fully justified then (and thankfully so) in my predictions, let us now move on to 2015-16. Here, in the midst of technology and its relentless forward motion, all I see – is “Paper”! This stands for:

Personalization;

A3 (aggregation, analytics, and advising);

Protection;

eMoney; and

Remoting. We will consider them in turn, and in that order.

Personalization:

Whether it is widgets, backgrounds, wallpapers, icons, ringtones, and home screen layouts of the iPod, Android, iPhone, desktop, laptop, or tablet,[4] personalization and customization are all the rage for maximizing the user-centric experience.

“The constantly connected consumers of today are extremely savvy, using all available channels and devices to research, review, compare prices and ultimately purchase products. Basic personalization (such as name and account personalization and dynamic interest or product content) no longer serves consumers’ demand for deeper levels of real-time personalized information. Increasingly, these savvy consumers are taking their business to companies that provide more than basic personalization and automated lifecycle campaigns. Customers now prefer brands that deliver individualized experiences that match their needs in the present moment”.[5]

Even giants of the online world, such as Yahoo,[6] have now realized that the way to truly reach and engage your customer is to intimately know your customer, for and through “Real-time Marketing”[7] and personalization practices. Personalization is based on gathering and analyzing observation data, to analyze and make predictions based upon what you know. This is why A3, which underlies real-time marketing, will also be a top trend for 2015-16, in my prediction.

A3 (Aggregation, Analytics, and Advising):

The SAS Institute, Inc., put out a 2013 white paper on demand sensing and shaping through big data analytics,[8] which perfectly sums up the first stage of the real-time marketing process. In the second stage, I would add demand supporting and serving, which sustains that demand in existence by providing those cues to trigger it (familiarity, emotional advertising triggers, positive associations in product placement, and so forth), and thence return customers to your established satisfaction-source.

Big Data (and its means of collection)[9] do have other applications beyond the pure consumer, however. These include generic disaster management applications,[10] and estimating or better “guess”-timating the true incremental and future impacts of climate change on humans and the environment.[11]

Protection:

With all of this data and its very many faces,[12] along with the potential to gather and analyze it, and the undisputed value of the end result in the predictive analytics space, there is a growing need at all levels for more robust protective mechanisms – wherever it falls on the spectrum of privacy practices,[13] data governance and document preservation, or cybersecurity. IT in general is looking forward to a banner year in 2015.[14] The IT security sub-sector, for its part, is not too far off, either, with a spate of increasingly spectacular, recent[15] and historical[16] hacks and cyberattacks drawing the attention of the risk management industry,[17] regulators,[18] private businesses,[19] and concerned citizens in an ongoing and multi-sided tussle,[20] both amongst themselves and with criminal elements. A very large data breach was just disclosed at Anthem Inc. (a health insurer with operations across 14 states), in which up to 80 million records of Personally Identifiable Information (PII) – but apparently no Personal Health Information (PHI), according to initial evaluations – are suspected to have been compromised.[21]

eMoney:

Despite the dangers and concerns, however, the pace of progress continues to pick up, with electronic payments of the PayPal variety moving to Square and eMoney, in the largely unregulated (and hacked)[22] Bitcoin, and the more mainstream proposed and competing offerings of CurrentC from the Merchant Customer Exchange (MCX) – which was also hacked,[23] and Google Wallet, Softcard, and Apple Pay.

Remoting:

With ever-more personalized experiences being available through more and more interconnected devices, we are moving towards an Internet of Things (IoT) that raises even more cybersecurity concerns that now include remote access and remote control/takeover,[24] whether or not authorized or even traceable back to source.[25] This has led one commentator to describe this future state as the “Internet of Bad Things”.[26] Going further to consider the impetus for a change in our security mindset, consider the words of Dr. Arati Prabhakar, the director of the United States Defence Advanced Research Projects Agency (DARPA), when she said:

“The largest explosion of millisecond machine actions will take place when billions of IoT devices are deployed. Until we find a way to authenticate, view, audit, analyze and block IoT devices often connected to cloud computing, we frankly shouldn’t be putting IoT out there. As the security industry saying goes, “money trumps security,” and as increasingly more of these IoT product (sic) are released, cybersecurity will just be playing catch-up. With potentially billions of these devices being deployed all over the world, this could lead to a cyber attack free-for-all of catastrophic proportions.”[27]

However, remoting is not all doom and gloom. Witness the growing use of crowdfunding to raise money for important events, popular initiatives, or proposed or emerging or growing business ventures; and even the burgeoning business of “pay to watch” that has now gone from the original voyeur cams, through specialized YouTube channels where you can pay to watch people play video games,[28] or modern day South Korea, where people will pay to remotely watch someone – a “broadcast jockey” – do something as mundane as eating.[29] Drones, scene capture devices, and wearable devices in ever-lighter cameras (from glass and its successors, through GoPro, police cam, dash cam, spy cam, home surveillance, commercial and industrial surveillance, government surveillance, and mobile devices in any and all form factors now known or yet to come, and from the clunky to the micro- or nano-scale), will combine[30] to bring more, and ever uniquer, shareable, monetizable remoting experiences to come![31]

CONCLUSION

These then, are my PAPER predictions for technology in 2015-16 – Personalization, A3 (aggregation, analytics, and advising), Protections, eMoney, and Remoting. I think they will come to fruition, just as predicted, but we have to wait and see. Enjoy the view!

*****************************************************************

Author:

Ekundayo George is a lawyer and sociologist. He has also taken courses in organizational and micro-organizational behavior, and gained significant experiences in business law and counseling, diverse litigation, and regulatory compliance practice. He is licensed to practice law in Ontario and Alberta, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America. See, for example: http://www.ogalaws.com. A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other services, and Environmental Law and Policy. He is a published author on the National Security aspects of Environmental Law, has represented clients in courts and before regulatory bodies in both Canada and the United States, and he enjoys complex systems analysis in legal, technological, and societal milieux.

Trained in Legal Project Management (and having organized and managed several complex projects before practicing law), Mr. George is also an experienced negotiator, facilitator, team leader, and strategic consultant – sourcing, managing, and delivering on complex engagements with multiple stakeholders and multidisciplinary teams. Team consulting competencies include program investigation, sub-contracted procurement of personnel and materials, and such diverse project deliverables as business process re-engineering, devising and delivering tailored training, and other targeted engagements through tapping a highly-credentialed resource pool of contract professionals with several hundred years of combined expertise, in: Healthcare; Education & Training; Law & Regulation; Policy & Plans; Statistics, Economics, & Evaluations including feasibility studies; Infrastructure; and Information Technology/Information Systems (IT/IS) – also sometimes termed Information Communications Technologies (ICT). See, for example: http://www.simprime-ca.com.

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred. The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein. Past results are no guarantee of future success, and specific legal advice should be sought for particular matters through counsel of your choosing, based on such factors as you deem appropriate.

[1] Ekundayo George. Ctrl-Shift-Del: 2013’s Top 5 Technology Trends for Consumers. Posted March 16, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/03/16/ctrl-shift-del-2013s-top-5-technology-trends-for-consumers/<

[2] Wikipedia.org. Massive Open Online Course (MOOC), a definition. Online: >http://en.wikipedia.org/wiki/Massive_open_online_course<

[3] Supra note 1.

[4] See e.g. selected Android personalization offerings, on display for download at the Google store. Online: >https://play.google.com/store/apps/category/PERSONALIZATION<

[5] Katrina Conn. Moving Beyond Basic Personalization to Real-Time Marketing. Posted January 7, 2014, on Clickz.com. Online: >http://www.clickz.com/clickz/column/2321243/moving-beyond-basic-personalization-to-real-time-marketing<

[6] Yahoo. The Balancing Act: Getting Personalization Right. Posted on yahoo.com. Online: >https://advertising.yahoo.com/Insights/BALANCING-ACT.html<

[7] Supra note 5. “Real-time marketing is the ongoing cycle of engagement, data management, analytical insights and optimization – performed continuously and immediately. In other words, it’s the streamlined management of data, transformed into actionable insight that is used to enhance your customer’s experience.”

[8] The SAS Institute. White Paper: Unlocking the Promise of Demand Sensing and Shaping Through Big Data Analytics – How to Apply High-Performance Analytics in Your Supply Chain. Published on idgenterprise.com, and visited February 2, 2015. Online: >http://resources.idgenterprise.com/original/AST-0112051_UnlockingPromise.pdf<

[9] Dennis Keohane. Aaron Levie, Box see drones and Internet of Things as data sources of the future. Posted September 23, 2014, on betaboston.com. Online: >http://betaboston.com/news/2014/09/23/aaron-levie-box-data-drones-internet-of-things/<

[10] See e.g. Robert A. Runge and Isabel Runge. Data-Driven Disaster Management. Posted October 29, 2014, on nextgov.com. Online: >http://www.nextgov.com/technology-news/tech-insider/2014/10/data-driven-disaster-management/97700/?oref=voicesmodule<

[11] See e.g. Chelsea Harvey. UN REPORT: Our Climate Change Future Is Terrifying And Emissions Need To Stop Completely As Soon As Possible. Posted November 4, 2014, on businessinsider.com. Online: >http://www.businessinsider.com/un-climate-report-stop-all-greenhouse-emissions-2014-11< ; See also Carl Zimmer. Ocean Life Faces Mass Extinction, Broad Study Says. Posted January 15, 2015, on nytimes.com. Online: >http://www.nytimes.com/2015/01/16/science/earth/study-raises-alarm-for-health-of-ocean-life.html?_r=0<

[12] Ekundayo George. The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 1 – Form Factors). Posted November 1, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/11/01/the-100-faces-of-data-a-5-part-complex-systems-study-part-1/<

[13] Amber Hunt, The Cincinnati Enquirer. Experts: Wearable tech tests our privacy limits. Posted February 5, 2015, on usatoday.com. Online: >http://www.usatoday.com/story/tech/2015/02/05/tech-wearables-privacy/22955707/< In one of my earlier blogs (if updated), the “User-Generated Legality Issues” (UGLIs) created by these treasure troves of “quantified self” data available through wearable devices, would be “self-outing 104”.

See e.g. Ekundayo George. The Video Privacy Protection Act (VPPA) Amendment of 2012 – Self-Outing 103? Posted January 11, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/01/11/the-video-privacy-protection-act-vppa-amendment-of-2013-self-outing-103/<

[14] Steve Ranger. Bigger budgets, better tech: Why 2015 is a good year to be working in IT. Posted February 4, 2015, on techrepublic.com. Online: >http://www.techrepublic.com/blog/european-technology/bigger-budgets-better-tech-why-2015-is-a-good-year-to-be-working-in-it/?tag=nl.e101&s_cid=e101&ttag=e101&ftag=TRE684d531<

[15] Pedro Hernandez. Xbox Live, PSN Back Online After Holiday DDoS Attacks. Posted December 29, 2014, on eweek.com. Online: >http://www.eweek.com/security/xbox-live-psn-back-online-after-holiday-ddos-attacks.html< See also the comprehensive hacking and public shaming of Sony, through compromised emails.

[16] I referenced several of the more historical, spectacular hacks in this earlier blog post. Ekundayo George. Cybersecurity: Its not just about “B” for Bob, but also eCommerce, Structure, and Trust. Posted November 3, 2014, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2014/11/03/cybersecurity-its-not-just-about-b-for-bob-but-also-ecommerce-structure-and-trust/<

[17] Pinsent Masons (out-law.com), citing the Institute of Chartered Accountants in England and Wales (ICAEW). Cyber risks evolving faster than business capabilities, says accountancy body. Posted October 30, 2014, on out-law.com. Online: >http://www.out-law.com/en/articles/2014/october/cyber-risks-evolving-faster-than-business-capabilities-says-accountancy-body/<

[18] Aliya Sternstein. Report: Agencies Aren’t Properly Vetting All Cyber Contractors. Published September 9, 2014, on nextgov.com. Online: >http://www.nextgov.com/cybersecurity/2014/09/agencies-contractor-employees-cyber-workforce/93620/<

[19] Aliya Sternstein. 97 Percent of Key Industries Doubt Security Compliance Can Defy Hackers. Posted July 10, 2014, on nextgov.com. Online: >http://www.nextgov.com/cybersecurity/2014/07/97-percent-key-industries-doubt-security-compliance-can-defy-hackers/88324/?oref=ng-relatedstories<

[20] See e.g. In the Matter of a Warrant to Search a Certain email Account Controlled and Maintained by Microsoft Corporation. Memorandum and Order of James C. Francis IV, United States Magistrate Judge, released April 25, 2014. 13 Mag. 3814, United States District Court for the Southern District of New York (SDNY). Online: >https://s3.amazonaws.com/s3.documentcloud.org/documents/1149373/in-re-matter-of-warrant.pdf<

Just reading through this decision, which from the first paragraph defines the complexity of this issue, shows the many interests, laws and policies, and considerations at stake in that constant tussle between individual rights and privacy, business interests (including the personalization push), and the mandates of law enforcement and national security – whether nationally and across borders, or when multiple nations do or claim to have a primary stake.

The further steps since taken in that ongoing effort by the United States government to access emails stored on servers that are physically located in Ireland, only further underline the complexities and interests at stake. See also Mark Scott. Ireland Lends Support to Microsoft in Email Privacy Case. Posted December 25, 2014, on bits.blogs.nytimes.com. Online: >http://bits.blogs.nytimes.com/2014/12/24/ireland-lends-support-to-microsoft-in-email-privacy-case/?_r=0&module=ArrowsNav&contentCollection=Technology&action=keypress&region=FixedLeft&pgtype=Blogs<

[21] Elizabeth Weise, USA Today. Massive breach at health care company Anthem Inc. Posted February 5, 2015, on usatoday.com. Online: >http://www.usatoday.com/story/tech/2015/02/04/health-care-anthem-hacked/22900925/<

[22] Zack Whittaker for Zero Day. Bitstamp exchange hacked, $5M worth of bitcoin stolen. Posted January 5, 2015, on zdnet.com. Online: >http://www.zdnet.com/article/bitstamp-bitcoin-exchange-suspended-amid-hack-concerns-heres-what-we-know/<

[23] Ryan Mac, Forbes Staff. Apple Pay Rival and Walmart-backed MCX Hacked, User Emails Snatched. Posted October 29, 2014, on forbes.com. Online: >http://www.forbes.com/sites/ryanmac/2014/10/29/apple-pay-rival-and-walmart-backed-mcx-hacked-user-emails-compromised/<

[24] Katie Fehrenbacher. The real breakthrough of Google Glass: controlling the internet of things. Posted March 23, 2013, on gigacom.com. Online: >https://gigaom.com/2013/03/23/the-real-breakthrough-of-google-glass-controlling-the-internet-of-things/<

[25] Larry Karisny. Getting Cybersecurity to Actually Work: More Connections, More Problems. Posted September 15, 2014, on digitalcommunities.com. Online: >http://www.digitalcommunities.com/articles/Getting-Cybersecurity-to-Actually-Work.html<

“Before we discuss solutions to these cybersecurity problems, let’s take a look at what the future looks like in our continually interconnected world. From social media to smart phones apps to the IoT promise of smart everything, we are reaching a point of truly not knowing what is connect to what — and hackers know this. Take the Target breach — the attacker used backdoor access to the company’s energy management systems to then access a server containing confidential customer information. We are increasing (sic) digitizing our people and machine processes, and are beginning to lose control of what we are doing.”  

[26] Zach Ferres. The Internet of (Bad) Things. Posted November 5, 2014, on linkedin.com. Online: >https://www.linkedin.com/pulse/article/20141105140616-28760747-the-internet-of-bad-things<

[27] Larry Karisny. DARPA Director Calls for Cybersecurity Change. Posted November 7, 2014, on digitalcommunities.com. Online: >http://www.digitalcommunities.com/articles/DARPA-Director-Calls-for-Cybersecurity-Change.html<

[28] By Josh Warwick, video by Phil Allen. Meet the 21-year-old YouTuber who made millions playing video games. Posted October 16, 2014, on telegraph.co.uk. Online: >http://www.telegraph.co.uk/men/the-filter/11139724/Meet-the-21-year-old-YouTuber-who-made-millions-playing-video-games.html<

[29] Stephen Evans. The Koreans who televise themselves eating dinner. Posted February 4, 2015, on BBC.com. Online: >http://www.bbc.com/news/magazine-31130947<

[30] Luisa Rollenhagen. Guy Hacks Google Glass to Steer Drone. Posted August 23, 2013, on mashable.com. Online: >http://mashable.com/2013/08/24/drone-pilots-google-glass/<

[31] See e.g. Erin Carson. 2015: 4 IT job skills for the new year. Posted January 8, 2015, on techrepublic.com. Online: >http://www.techrepublic.com/article/2015-4-it-job-skills-for-the-new-year/<

Canvassing conventional and learned wisdom, I would humbly say that at least one of my predictions (protections) is echoed and supported in the focus here on “security skills” in this piece by HR and IT professionals. Three of my other predictions (Remoting, A3, and Personalization) are at least strongly implicated, in the call for “versatility” and skills in “project management”. “Desktop support” is the fourth 2015 IT job skill set listed by Techrepublic.

PREFACE:

Just the other day, when I was looking over a post on the 5 largest cyberbreaches of 2014 (to date),[1] my mind went back to the Case of Bob,[2] a malfeasing cyber breach insider, on whom I blogged in an earlier post. The top 5 list sequenced a total of 309 million records.[3] That is, I believe, enough to cover stealing one record each, from every citizen of Canada (34 million), Italy (61 million), France (63 million), the United Kingdom (64 million), and Germany (82 million); at a total of 304 million records, according to their respective population counts in 2013.[4] Looking only domestically, in the United States, this 309 million could account for the loss of a single record (e.g. social security number) for all but 6 million U.S. citizens in a 315 million population count at 2013.[5] That’s a whole lot of broken (out/into) records![6]

Clearly, this is a big and growing problem. And so, I decided to look a little more closely at that list, focus in on the non-American example of South Korea,[7] and lay down a better understanding of why the cyber realm remains so hard to secure – not just from last year’s big breaches at Target,[8] Adobe,[9] and LivingSocial,[10] but persistently and consistently for even those most tech-savvy of U.S. businesses and veterans of the eCommerce and eBanking verticals, including Google/Gmail,[11] Home Depot,[12] JPMorgan Chase & Co,[13] and eBay;[14] along with assorted state and federal government entities.[15]

I will look at the problem from four angles: “B” for Bob, “E” for eCommerce, “S” for Structure, and “T” for Trust; addressing the challenges and opportunities in which obviously requires certain “b-e-s-t” practices. This is a simplification of an extremely complex issue, but a useful approach, nevertheless.


THE B-ANGLE:

Bob[16] was not the first, nor will he be the last insider to “go rogue”.  The debate continues on whether insiders or outsiders are the greater threat.

“The fact that the individual was reportedly able to access and then sell on vast quantities of customer information is very worrying. It should not be the case that an employee – and in this case a temporary consultant – is able to access and then download sensitive data without this suspicious activity being flagged up,” (…)[17]

“It would seem that this case is a classic example of the ‘insider threat’ – that is, the malicious abuse of privileged access. A breach of customer data can spell disaster for a business, due to the loss of customer confidence, revenue and the possibility of severe financial penalties if they are found to have been negligent in the protection of this information.”[18]

However, the safest and highest of best practices is to do one’s utmost to protect against both, and each through the other, in a figure-of-eight lattice-work.

Suggested solutions include: proper and more comprehensive onboarding and offboarding; segregation of duties; rigorous credentialing and authorization procedures; real-time access and event logging; training and discipline with enforced usage rules (BYOD, social media, portable media, telecommuting); behavioural guidance including full disclosure of privacy limitations and waivers as applicable (travel and mobile security, regulatory compliance, data governance, eDiscovery, and cybersecurity); and so forth – including ONGOING due diligence on ALL employees, vendors, contractors, and counterparties on these parameters.[19] Just as banks were looking to their law firms to harden cyber defences,[20] regulators and especially financial sector regulators, have also been increasingly focused on the issue of cybersecurity.

“The question we need to all ask as regulators is should we be considering the cyber threat as something as fundamental to institutions as capital levels. I’m not saying yet that they’re equal but we should probably start discussing them in the same breath[.]”[21] The legal community has long weighed in on this issue for and regarding others, but has only recently, and so publicly, been forced to look at its own house, with some resulting and readily available practical guidance on the starting point for a law firm cyber audit that is easily applicable to other industries.[22]


THE E-ANGLE:

eCommerce is a 5-edged sword (hard to see in reality – especially as anything easy to wield or even effective, but logically easy to conceptualize). There are the two (alleged) counterparties; there are each of the (apparent) originating and destination locations; and then there are the (acceptable, accredited, and accepted) payment parameters. These are the five.

Counterparties are “alleged” because one or more may be fictitious or on a borrowed or pilfered identity. Originating and destination locations may be fronts, dead drops, or non-existent. And the acceptable payment methods may have one party presenting something with false accreditation that is accepted as valid until it is too late to halt the deal;[23] something with proper accreditation that is intercepted before being properly accepted by the intended recipient;[24] or something with proper accreditation that is accepted by a fictitious or otherwise fraudulent counterparty.[25]

Albeit fraught with dangers, eCommerce has become indispensable in an interconnected, beyond-line-of-sight business world. The best we can do is manage it, harden it in advance, and adapt as and when a new vulnerability is shown in this constant battle for sword edges between victims and rogues.


THE S-ANGLE:

Now, we look back to South Korea, and ask whether there is any structural strength or weakness that makes the nation a recurring[26] and worthy[27] target for cybercrime; and the answer is a very loud yes.

With a wealthy and tech savvy population that has a GDP/PPP over US $33,000, South Korea in 2013, was Asia’s 4th largest economy, 12th largest in the world, and 10th largest, globally, in terms of trade in merchandise and services, alone.[28] In that same year, the economy grew by 2.8%, and had a projected 2014 growth forecast of 3.5-4%.[29]

Essentially, South Koreans are connected, mobile-friendly, and absolutely just love eCommerce. Nearly 80% of the population is online, which makes it the most connected country in the world.[30] Mobile penetration has also long been high,[31] with 75% of South Koreans using smartphones overall, and a 98% penetration rate for the 18-24 demographic.[32] On the subject of eCommerce, the consultant Borderfree “found that an increasing number of South Koreans shop overseas retailers to find lower prices, leverage parcel forwarding to save on shipping costs and join online communities to resell imported items they don’t want.”[33] Since at least 2008, it has been quite commonplace for South Koreans to send and receive gift certificates and discount coupons by mobile or smart phone, which can be redeemed just by showing the phone and having it scanned, making coupon clipping (and paper coupons) things of the past.[34]

“From smartphones with flexible, foldable screens to smart refrigerators where you can view the inside contents while shopping; or smart communities, where even your child’s wanderings can be tracked through a central operations centre, Korean companies are on the cutting edge of technology.  Each is vying to be the first to develop the Next Big Thing.”[35]

Hence it follows that if everything cyber-new is there, as in methods and applications in a target-rich environment, then every old and new form of cyber offence will also follow into this nation that is essentially structured and functions, as a massive testbed!

This factor is further underscored by the fact that: “South Koreans have on average five credit cards, compared to two in the U.S., and the country has the highest credit card penetration globally. Consumers in South Korea also use credit more often. There are 129.7 credit card transactions per year in South Korea, compared to 77.9 credit card transactions annually in the U.S.”[36] Newer technologies introduced will invariably have often unforeseen vulnerabilities that have yet to be patched, and credit card ownership and use have, to date, hardly proved to be entirely risk-free.

It is therefore no surprise that cyber-criminals will congregate at that confluence of high credit card use, high technology, extreme connectivity and mobility, and intense eCommerce that is South Korea.


THE T-ANGLE:

I have written, elsewhere, that data has very many “faces” – ranging through Form Factors, Applications, Categories, End-users, and Scale; and therefore presenting many attack surfaces vulnerable to myriad and multiplying attack vectors.[37] Yes, we can (and must) generally trust the data of and provided by counterparties in an eCommerce-driven world, but why not also verify? Too few are taking the time to fully go through the steps, due to cost and time concerns. When you receive an email, does the return email match the claimed sender, is the content their usual, are the links or required/suggested actions suspicious in any way? When it is a business, does the contact information match what they list in a directory (remembering that the spoof site found through an internet search is still a spoof site)? If this is a claimed professional, are they registered somewhere in a searchable official or regulatory database with the same contact data? Finally, if it is a financial institution account communication, then do you do business with them? If the answer is no, or your financial services provider does not send you such open login requests, then you should delete the message! These are very basic steps.
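As an added illustration of the basic email checks listed above (example code written for this page, not from the original post), the script below parses a constructed sample message and flags a reply address that does not match the claimed sender, a link whose visible text names a different domain than its real target, and a login request from a domain the reader does not actually do business with. The sample domains, the known-counterparty set, and the keyword list are assumptions of the example.

```python
"""Basic email triage, as described in the post: does the return address match
the claimed sender, are the links suspicious, and is this a login request from
someone you do not do business with?  All domains below are constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real one): claimed bank sender, a reply
# address on another domain, and a link whose text names the bank but whose
# target is a look-alike host.
SAMPLE_RAW = b"""From: "First Bank Alerts" <alerts@firstbank-example.com>
Reply-To: recovery@mail-relay-example.net
Subject: Action required: confirm your login
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://firstbank-example.com.login-verify-example.net/">sign in at firstbank-example.com</a> to confirm.</p>
"""

# Organisations the recipient actually banks with (assumed for the example).
KNOWN_SENDER_DOMAINS = {"mybank-example.com"}

# Phrases that make a message an "open login request" in the post's sense.
LOGIN_WORDS = ("login", "sign in", "verify", "confirm your")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def registrable_domain(host):
    """Reduce a host to its last two labels. Example simplification: a real
    deployment would consult the public suffix list instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _domain_of(address):
    return registrable_domain(address.rpartition("@")[2]) if "@" in address else ""


def check_message(raw, known_domains):
    """Return a list of human-readable findings; an empty list means none of
    the post's basic checks fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Does the return (Reply-To) address match the claimed sender?
    from_dom = _domain_of(parseaddr(msg.get("From", ""))[1])
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_dom = _domain_of(parseaddr(reply_to)[1])
        if reply_dom and reply_dom != from_dom:
            findings.append(
                f"reply address domain {reply_dom} does not match sender domain {from_dom}")

    # 2. Are the links suspicious? Compare any domain named in the link text
    #    with the domain the link actually points to.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, anchor in ANCHOR_RE.findall(text):
        link_dom = registrable_domain(urlparse(href).hostname or "")
        for shown in DOMAIN_IN_TEXT_RE.findall(anchor):
            if registrable_domain(shown) != link_dom:
                findings.append(f"link text names {shown} but points to {link_dom}")

    # 3. Is this a login/verification request from someone you do not bank with?
    haystack = (msg.get("Subject", "") + " " + text).lower()
    if any(w in haystack for w in LOGIN_WORDS) and from_dom not in known_domains:
        findings.append(
            f"login/verification request from {from_dom}, not a known counterparty")
    return findings


def verdict(findings):
    """The post's rule of thumb: if a basic check fails, delete the message."""
    return "delete" if findings else "no basic flags"


if __name__ == "__main__":
    hits = check_message(SAMPLE_RAW, KNOWN_SENDER_DOMAINS)
    for h in hits:
        print("-", h)
    print(verdict(hits))
```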

Forensic investigations, eDiscovery, disaster preparedness and recovery, and assessing the effect and impact of remediation measures are now greatly aided by better information governance;[38] as well as backups balanced with commonsense and due diligence in knowing what you are getting into with specific situations as a cloud vendor, a cloud user, or a basic data custodian.[39]


CONCLUSION:

Banks had all the money, but data custodians have all the data. Criminals therefore go after the motherlodes of data (financial services entities, telecommunications providers, medical legal and accounting professionals, governments, and other data-loaded intermediaries including high volume vendors – supermarkets, department stores, and hardware stores) where no shotguns or facemasks are needed, because they are unseen and can blend into that stream of blissfully unmonitored eCommerce.

Whether stupendously big or comparatively small,[40] and even if we don’t hear about them publicly or immediately,[41] there will likely still be hacks for quite some time to come. However, all is far from lost, despite the mind-numbing possibility of staggering single and cumulative future data breaches in new markets,[42] and in the developing mobile and virtual payment and settlement solutions – regardless of a breach’s apparent or alleged nation of origin.

“However, I also think that all threats can be adequately considered when you focus on: (a) achieving buy-in to the need for security protocols and adherence thereto at all levels of the organization; (b) you budget accordingly for training, ERP, and the staff and tools to deal with the threat universe; and (c) you assiduously enforce best practices, even when it makes (for some) the accessing of preferred apps. or sites inconvenient to impossible, or slows people down a little.  I call this cubing the B.”[43]

In the end, it all starts with leadership, because where there is no buy-in for doing what needs to be done from the higher-ups due to cost concerns, short sightedness, or bad advice, there will be little to no I.T. security budget, best practices will be whatever the heck everyone feels like doing at the time, and a breach will surely come.[44]

At the very least, then, in response to Bob & Co. and what they can do, you should sincerely cube that B!

_____________________________________________________

 

Author:

Ekundayo George is a lawyer and a sociologist. He has also taken courses in organizational and micro-organizational behavior, and has significant experience in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory compliance practice. He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing). See, for example: http://www.ogalaws.com. A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other services, and Environmental Law and Policy. He is a published author on the National Security aspects of Environmental Law, has represented clients in courts and before regulatory bodies in both Canada and the United States, and he enjoys complex systems analysis in legal, technological, and societal milieux.

 

Mr. George is also an experienced negotiator, facilitator, team leader, and strategic consultant, sourcing, managing, and delivering on large, strategic projects with multiple stakeholders and multidisciplinary teams. Our competencies include program investigation, sub-contracted procurement of personnel and materiel, and such diverse project deliverables as business process re-engineering, devising and delivering tailored training, and other targeted engagements through a highly-credentialed resource pool with several hundred years of combined expertise, in: Healthcare; Education & Training; Law & Regulation; Policy & Plans; Statistics, Economics, & Evaluations including feasibility studies; Infrastructure; and Information Technology/Information Systems (IT/IS, sometimes also termed Information Communications Technologies, or ICT). See, for example: http://www.simprime-ca.com.

 

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

 

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred. The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.

 

***********************************************************************

[1] Chris DiMarco. The top 5 largest cyberbreaches of 2014 (for now). Published October 9, 2014 on insidecounsel.com. Online: >http://www.insidecounsel.com/2014/10/09/the-top-5-largest-cyberbreaches-of-2014-for-now?page=1<

The writer gave these top 5, in ascending order, as: Gmail/Google (5 million), Korea Credit Bureau (20 million), Home Depot (56 million), JPMorgan & Chase Co. (83 million), and eBay (145 million). See also infra, notes 11-14, and 7.

[2] Ekundayo George. Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”. Published January 17, 2013 on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<

[3] Supra, note 1.

[4] See generally, Wikipedia.

[5] Id.

[6] This is especially true as a sixth big breach has been added since the list was first made, which now fully covers those 6 million “formerly” lucky U.S. Citizens. See e.g. Steve Kovach. Nearly 7 Million Dropbox Passwords Have Been Hacked. Published October 13, 2014, on businessinsider.com. Online: >http://www.businessinsider.com/dropbox-hacked-2014-10<

[7] Initially pegged at 20 million (which number I have retained), the Korea Credit Bureau breach was later re-calculated to have impacted 27 million South Koreans. See Steve Ragan. 27 million South Koreans affected by data breach. Published August 25, 2014, on csoonline.com. Online: >http://www.csoonline.com/article/2597617/data-protection/27-million-south-koreans-affected-by-data-breach.html<

[8] CBC News. Target data hack affected 70 million people. Published January 10, 2014, on cbc.ca. Online: >http://www.cbc.ca/news/business/target-data-hack-affected-70-million-people-1.2491431<

[9] Chris Welch. Over 150 million breached records from Adobe hack have surfaced online. Published November 7, 2013, on theverge.com. Online: >http://www.theverge.com/2013/11/7/5078560/over-150-million-breached-records-from-adobe-hack-surface-online<

[10] Rachel King for Zero Day. LivingSocial confirms hacking; More than 50 million accounts affected. Published April 26, 2013, on zdnet.com. Online: >http://www.zdnet.com/livingsocial-confirms-hacking-more-than-50-million-accounts-affected-7000014606/<

[11] See generally Google Corporate. Cleaning up after password dumps. Published September 10, 2014, on googleonlinesecurity.blogspot.ca. Online: >http://googleonlinesecurity.blogspot.ca/2014/09/cleaning-up-after-password-dumps.html<

[12] Ben Elgin, Michael Riley, and Dune Lawrence. Home Depot Hacked After Months of Security Warnings. Published September 18, 2014, on businessweek.com. Online: >http://www.businessweek.com/articles/2014-09-18/home-depot-hacked-wide-open<

[13] Jim Finkle and Karen Freifeld. States probe JPMorgan Chase as hack seen fueling fraud. Published Friday, October 3, 2014, on reuters.com. Online: >http://www.reuters.com/article/2014/10/03/us-jpmorgan-cybersecurity-idUSKCN0HS1ST20141003<

[14] Jennifer Abel. eBay hacked again? BBC reports hijacked seller accounts. Published September 23, 2014, on consumeraffairs.com. Online: >http://www.consumeraffairs.com/news/ebay-hacked-again-bbc-reports-hijacked-seller-accounts-092314.html<

[15] Administrative Office of the Washington Courts. Washington Courts Data Breach Information Center: Common Questions. Visited November 3, 2014 (regarding a data breach discovered in February/March, 2013). Online: >http://www.courts.wa.gov/newsinfo/?fa=newsinfo.displayContent&theFile=dataBreach/commonQuestions< ; The Associated Press in Washington. Records of up to 25,000 Homeland Security staff hacked in cyber-attack. Published Saturday August 23, 2014, on theguardian.com. Online: >http://www.theguardian.com/technology/2014/aug/23/homeland-security-25000-employees-hacked<

[16] Ekundayo George. Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”. Published January 17, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<

[17] Sophie Curtis. Credit card details of 20m South Koreans leaked. Published January 20, 2014, on telegraph.co.uk. Online: >http://www.telegraph.co.uk/technology/internet-security/10584348/Credit-card-details-of-20m-South-Koreans-leaked.html<, comments on the Korea Credit Bureau case by Matt Middleton-Leal, regional director for the UK and Ireland at security firm CyberArk.

[18] Id.

[19] Indeed, both of the monumental hacks – at Target and Korea Credit Bureau, were accomplished through third parties: Krebs on Security, Email Attack on Vendor Set Up Breach at Target. Published February 12, 2014, on Krebsonsecurity.com. Online: >http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/< ; Lucian Ciolacu. Contractor with USB Stick Commits Biggest Credit Card Data Heist in South Korean History. Published January 21, 2014, on hotforsecurity.com. Online: >http://www.hotforsecurity.com/blog/contractor-with-usb-stick-commits-biggest-credit-card-data-heist-in-south-korean-history-7667.html<

As a result, some banks with their own compliance concerns are now quite nervous about their law firms as vulnerable third parties. See e.g. Jennifer Smith and Emily Glazer of Dow Jones Business News. Banks Demand That Law Firms Harden Cyberattack Defenses. Published October 26, 2014, on nasdaq.com. Online: >http://www.nasdaq.com/article/banks-demand-that-law-firms-harden-cyberattack-defenses-20141026-00022<

[20] Id. Jennifer Smith and Emily Glazer of Dow Jones Business News.

[21] Kara Scannell in New York. NY bank regulator targets cyber threat. Published October 6, 2014, on ft.com. Online: >http://www.ft.com/cms/s/0/5a981338-4cdf-11e4-a0d7-00144feab7de.html#axzz3HghMk1j4< quote of Benjamin Lawsky, Superintendent for New York’s Department of Financial Services.

[22] Sharon D. Nelson & John W. Simek. Clients Demand Law Firm Cyber Audits. Published in ABA Law Practice Magazine Vol 39, Number 6 (Nov./Dec. 2013) Online: >http://www.americanbar.org/publications/law_practice_magazine/2013/november-december/hot-buttons.html<

[23] As with a stolen credit card, a bounced cheque, or counterfeit cash, for example.

[24] As with a man in the middle attack (spoofed eCommerce website, or legitimate but infected site with cross-site scripting), for example.

[25] As in advance fee fraud, for example.

[26] In July of 2011, two websites (Cyworld and Nate) run by SK Communications of South Korea were breached, resulting in a loss of some 35 million records. “Hackers are believed to have stolen phone numbers, email addresses, names and encrypted information about the sites’ many millions of members.” See BBC. Millions hit in South Korean hack. Published July 28, 2011, on bbc.com. Online: >http://www.bbc.com/news/technology-14323787< . One year later, in July, 2012, South Korean authorities announced arrests in the case of hacks impacting 8.7 million users at KT Corp, the nation’s number one fixed line operator and number two mobile operator.

“The company says hackers stole subscribers’ names, phone and personal identification numbers, and then sold the data to telemarketers.”

“An illegally installed computer program had collected subscribers’ information over several months, KT Corp said.”

See BBC. South Korea arrests phone firm KT Corp hacking suspects. Published July 30, 2012, on bbc.com. Online: >http://www.bbc.com/news/technology-19048494<

[27] To impact the Personally Identifiable Information (PII) records of 40% of an entire nation’s population in a single stroke is certainly a major scoop, by any reckoning. Especially ironic are the circumstances of this hack:

“Customer details appear to have been swiped by a worker at the Korea Credit Bureau, a company that offers risk management and fraud detection services.” (Where were the vendor due diligence, segregation of duties, and the internal fraud controls?) (Emphasis added).

“The worker, who had access to various databases at the firm, is alleged to have secretly copied data onto an external drive over the course of a year and a half.” (Where were the access and event logs, “business need only” access privilege limitations, and random audits?) (Emphasis added).

See Sophia Yan and K.J. Kwon. Massive data theft hits 40% of South Koreans. Published January 21, 2014, on cnn.com. Online: >http://money.cnn.com/2014/01/21/technology/korea-data-hack/< See also supra, note 13, Jim Finkle and Karen Freifeld (JPMorgan Chase & Co.).

[28] Foreign and Commonwealth Office of the United Kingdom. Guidance: Overseas Business Risk – South Korea. Last updated May 27, 2014, and published on gov.uk. Online: >https://www.gov.uk/government/publications/overseas-business-risk-south-korea/overseas-business-risk-south-korea<

[29] Id.

[30] Daniela Forte. South Korea Stands Out as Ecommerce Market for U.S. Retailers. Published June 19, 2014, on multichannelmerchant.com. Online: >http://multichannelmerchant.com/must-reads/south-korea-stands-out-in-ecommerce-market-for-u-s-retailers-19062014/<

[31] The Associated Press. Korea has nearly as many cell phones as people. Last updated January 28, 2009, and published on nbcnews.com. Online: >http://www.nbcnews.com/id/28893283/ns/technology_and_science-tech_and_gadgets/t/korea-has-nearly-many-cell-phones-people/#.VFKb0xbClGM<

[32] Id., and supra note 30.

[33] Supra note 30.

[34] Reuters. Paper is passe for tech-savvy South Koreans. Published Friday, May 9, 2008, on reuters.com. Online: >http://www.reuters.com/article/2008/05/09/us-korea-coupons-idUSS0914416520080509<

[35] Gordon Hamilton. Asia Pacific report: South Korea now a global technology tiger. Published November 25, 2013, on biv.com. Online: > http://www.biv.com/article/2013/11/asia-pacific-report-south-korea-now-a-global-techn/<

[36] Sarah Jones. South Korea boasts highest global credit card penetration: report. Published June 27, 2014, on luxurydaily.com. Online: >http://www.luxurydaily.com/south-korea-boasts-highest-global-credit-card-penetration-report/<

[37] Ekundayo George. The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 1 – Form Factors). Published November 1, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/11/01/the-100-faces-of-data-a-5-part-complex-systems-study-part-1/<

[38] Ekundayo George. To Gatto from Zubulake: 2 Thumbs-up for Better Information Governance/Anti-Spoliation. Published March 31, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/03/31/to-gatto-from-zubulake-2-thumbs-up-for-better-information-governanceanti-spoliation/<

[39] Ekundayo George. Data Protection and Retention in the Cloud: Getting it Right. Published March 11, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/< You cannot leave everything to a vendor or counterparty, if and when you are primarily responsible for your own security and the security of the data that you host at rest, in transit, or subject to access and change, for others.

[40] Terry Collins and Anne D’Innocenzio for The Associated Press. Twitter hackers nab data on 250,000 accounts. Published February 2, 2013, on ottawacitizen.com. Online: >http://www.ottawacitizen.com/business/Twitter+hackers+data+accounts/7911027/story.html<

[41] Ben Elgin, Dune Lawrence and Michael Riley. Coke Gets Hacked And Doesn’t Tell Anyone. Published November 4, 2012, on bloomberg.com. Online: >http://www.bloomberg.com/news/2012-11-04/coke-hacked-and-doesn-t-tell.html< This kind of silence is changing, however, due to increasing regulatory focus on cyber risks and cyber events, and a push for timely and full disclosure and remediation when it may impact the bottom line, systemically important entities, or public or investor confidence.

[42] China and India are the most populous nations on earth, with well over 1 Billion citizens, each; but comparatively (with all other nations) very low ratios of banked citizens, and citizens with access to organized credit facilities. The promised easing of China’s restrictions on foreign credit card issuers paves the way for many of the entry-market credit card products that we see in the West – secured cards, rechargeable cards, debit cards, and the like, along with the juicy fees for annual access, loading, overdrafts, late payments, cash advances, and per transaction. Of course, this will require the taking, keeping, and updating of vast amounts of data on a vast population; creating a single and captive, target rich environment of irresistible size that will remain very vulnerable to any lapses in data governance and/or cyber best practices. See generally Joe McDonald of The Associated Press. China easing credit card monopoly opening door for Visa, MasterCard. Published October 30, 2014, on ctvnews.ca. Online: >http://www.ctvnews.ca/business/china-easing-credit-card-monopoly-opening-door-for-visa-mastercard-1.2078518<

[43] Ekundayo George. Individual (allegedly) Wreaks Havoc with Former Employer – Another Teachable Moment in Infosec. Published May 16, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/05/16/individual-allegedly-wreaks-havoc-with-former-employer-another-teachable-moment-in-infosec-2/<

[44] See e.g. Supra note 12, Ben Elgin, Michael Riley, and Dune Lawrence (Home Depot).